10/769,103 



MS307669.01/MSFTP2193US



Amendments to the Claims 
This listing of claims will replace all prior versions of claims in the application: 
Listing of Claims: 

1. (Previously Presented) A computer implemented system for determining whether a
packed executable is malware, the system comprising: 

a malware evaluator for determining whether incoming data is malware, wherein the 
incoming data directed to a computing device is intercepted by the malware evaluator; and 

an unpacking module that receives a packed executable from the malware evaluator and 
returns an unpacked executable corresponding to the packed executable; 

wherein the malware evaluator, upon receiving incoming data, can at least in part 
determine whether the incoming data is a packed executable, and if so, the malware evaluator 
provides the packed executable to the unpacking module such that an unpacked executable can 
be received from the unpacking module, such that the malware evaluator can determine whether 
the unpacked executable is malware. 

2. (Withdrawn) A system for unpacking a packed executable for evaluation as malware, the 
system comprising: 

a set of unpacker modules, the set of unpacker modules comprising at least one unpacker 
module and wherein each unpacker module corresponds to executable code for unpacking a 
particular type of packed executable; and 

an unpacking manager, wherein the unpacking manager, upon obtaining a packed 
executable, selects an unpacker module from the set of unpacker modules to unpack the packed 
executable according to the type of the packed executable, and executes the selected unpacker 
module which generates an unpacked executable corresponding to the packed executable. 

3. (Withdrawn) The system of Claim 2, wherein each unpacker module in the set of
unpacker modules implements a confirmation interface routine for confirming whether the 
unpacker module is capable of unpacking the packed executable; and 

wherein the unpacking manager selects an unpacker module from the set of unpacker 
modules to unpack the packed executable by: 

iteratively calling the confirmation interface routine of each unpacker module in 
the set of unpacker modules until an unpacker module responds affirmatively to the call of its 
confirmation interface routine indicating that it can unpack the packed executable; and 

selecting that unpacker module that responded affirmatively. 

4. (Original) A method for determining whether incoming data is malware, the method 
comprising: 

intercepting incoming data directed to a computing device; 
determining whether the incoming data is a packed executable; and 
if the incoming data is a packed executable: 

generating an unpacked executable, the unpacked executable corresponding to the 
packed executable; and 

determining whether the packed executable is malware by evaluating whether the 
unpacked executable is malware. 

5. (Withdrawn) A method for unpacking a packed executable for evaluation as malware, the 
method comprising: 

obtaining a packed executable; 

selecting an unpacker module from a set of unpacker modules operable to unpack the 
packed executable; and 

executing the selected unpacker module, thereby generating an unpacked executable 
corresponding to the packed executable. 

6. (Withdrawn) An extensible unpacking module for unpacking a packed executable for
evaluation as malware, the system comprising: 

a set of unpacker modules comprising at least one unpacker module, wherein each
unpacker module corresponds to executable code for unpacking a packed executable of a
particular type, wherein the set of unpacker modules is dynamically extensible such that
unpacker modules may be selectively added or removed to the set of unpacker modules; and 

an unpacking manager, wherein the unpacking manager, upon obtaining a packed 
executable, selects an unpacker module from the set of unpacker modules to unpack the packed 
executable according to the type of the packed executable, and executes the selected unpacker 
module which generates an unpacked executable corresponding to the packed executable. 

7. (Previously Presented) The system of Claim 1, wherein the returned unpacked executable 
corresponding to the packed executable is based at least in part on code or data derived from 
employing an unpacker other than the loader/unpacker received with the packed executable. 

8. (Previously Presented) The system of Claim 7, wherein the employed unpacker is 
selected from a group of at least one modularized unpacker modules germane to unpacking a 
packed executable of a particular type and further germane to unpacking a packed executable
that has been intercepted by the malware evaluator. 

9. (Previously Presented) The system of Claim 1, wherein the intercepted incoming data
resides only in one or more logically or physically isolated memory stores such that the 
intercepted incoming data can be located at a computer but does not actually "reach" the 
computer. 

10. (Previously Presented) The system of Claim 9, wherein the one or more isolated memory 
stores comprise at least one of a random access memory, a floppy disk, a flash memory storage 
device, magnetic tape, a quarantine area of a hard drive, a logical partition of a hard drive, or 
combinations thereof. 

11. (Previously Presented) The system of Claim 1, wherein the unpacked executable
generated by the unpacking module corresponds to a complete packed executable and not just a 
portion thereof. 

12. (Previously Presented) The system of Claim 11, wherein the generated unpacked 
executable corresponding to a complete unpacked executable is unpacked without executing any 
portion thereof. 

13. (Previously Presented) The system of Claim 1, wherein the malware evaluator determines 
whether the incoming data is malware without unpacking the incoming data if the incoming data 
is determined not to be a packed executable. 

14. (Previously Presented) The system of Claim 1, wherein the incoming data can be
intercepted from at least one data source including a wired computer network, a wireless 
computer network, and distributable media further including a floppy disk, a flash memory 
storage device, a CD-ROM disk, a CD-RW disk, a magnetic tape, a DVD-ROM disk, a DVD-RW
disk, or combinations thereof.

15. (Previously Presented) The system of Claim 1, further comprising, first determining 
whether the incoming data is known malware before determining if the incoming data is a 
packed executable, and if not, then determining if the incoming data is a packed executable. 

16. (Previously Presented) The system of Claim 15, wherein anti-virus software can be
employed in determining whether the incoming data is malware. 

17. (Previously Presented) The system of Claim 16, wherein the determining by anti-virus 
software can be by signature or pattern recognition processes. 

18. (Previously Presented) An electronic device comprising the system of Claim 1, such that
the electronic device can be placed between a network and a computer device to facilitate
intercepting data directed to a computing device. 

19. (Previously Presented) The method of Claim 4, further comprising, first determining
whether the incoming data is known malware before determining if the incoming data is a 
packed executable. 

20. (Previously Presented) The method of Claim 4, wherein generating an unpacked
executable at least in part employs an unpacker other than the loader/unpacker received with the
packed executable.

21. (Previously Presented) The method of Claim 20, wherein the employed unpacker is
selected from a group of at least one modularized unpacker modules germane to unpacking a 
packed executable of a particular type and further germane to unpacking a packed executable 
that has been intercepted. 

22. (Previously Presented) The method of Claim 4, wherein intercepting incoming data
intercepts data as it arrives at the computing device from a network or a distributable media. 

23. (Previously Presented) The method of Claim 4, wherein generating the unpacked 
executable occurs without executing any portion of the unpacked executable. 

24. (Previously Presented) The method of Claim 4, wherein the unpacked executable 
corresponds to a complete packed executable and not just a portion thereof. 
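
The flow recited in the claims above (known-malware check first, selection of an unpacker module through its confirmation routine, unpacking without execution, then evaluation of the unpacked result), sketched as an added example that is not part of the application or of any product it describes. The two pack formats, the signature, and all class and function names are constructed for illustration; the sketch goes beyond the claims by also bounding nested packing and handling malformed input.

```python
import zlib

SIGNATURES = [b"EVIL-PAYLOAD"]  # constructed stand-in for a signature database

def is_known_malware(data: bytes) -> bool:
    return any(sig in data for sig in SIGNATURES)

class ZlibUnpacker:
    MAGIC = b"ZPK1"  # constructed format: magic + zlib stream
    def can_unpack(self, data: bytes) -> bool:  # confirmation interface routine
        return data.startswith(self.MAGIC)
    def unpack(self, data: bytes) -> bytes:  # decompress only, nothing is executed
        return zlib.decompress(data[len(self.MAGIC):])

class XorUnpacker:
    MAGIC = b"XPK1"  # constructed format: magic + 1 key byte + XOR-ed body
    def can_unpack(self, data: bytes) -> bool:
        return data.startswith(self.MAGIC) and len(data) > len(self.MAGIC)
    def unpack(self, data: bytes) -> bytes:
        key = data[len(self.MAGIC)]
        return bytes(b ^ key for b in data[len(self.MAGIC) + 1:])

class UnpackingManager:
    def __init__(self, modules=()):
        self.modules = list(modules)  # extensible: modules can be added or removed
    def select(self, data: bytes):
        # Ask each module in turn; the first affirmative answer wins.
        return next((m for m in self.modules if m.can_unpack(data)), None)

def evaluate(data: bytes, manager: UnpackingManager, max_layers: int = 4):
    """Return (verdict, layers_unpacked) for intercepted data."""
    layers = 0
    while True:
        if is_known_malware(data):
            return "malware", layers
        module = manager.select(data)
        if module is None:
            return "not-detected", layers  # not packed, or no module knows the format
        if layers == max_layers:
            return "suspicious", layers  # refuse unbounded nesting
        try:
            data = module.unpack(data)
        except zlib.error:
            return "suspicious", layers  # claims the format but is malformed
        layers += 1

# Constructed samples: a payload, one packed layer, and two nested layers.
PAYLOAD = b"MZ\x90\x00 EVIL-PAYLOAD"
ZPACKED = ZlibUnpacker.MAGIC + zlib.compress(PAYLOAD)
NESTED = XorUnpacker.MAGIC + b"\x5a" + bytes(b ^ 0x5A for b in ZPACKED)
```

Removing a module from the manager turns the same packed sample into a "not-detected" result, which is the coverage gap an extensible module set has to be monitored for.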